---
title: Pings and Sweeps
course: intro_pentest
section: Scanning
layout: lesson
---

A ping is a special type of network packet called an ICMP packet. Pings work by
sending a specific type of network traffic, called ICMP Echo Request packets, to
a specific interface on a computer or network device. If the device (and the
attached network card) that received the ping packet is turned on and not
restricted from responding, the receiving machine will respond to the
originating machine with an Echo Reply packet. Aside from telling us that a host
is alive and accepting traffic, pings provide other valuable information,
including the total time it took for the packet to travel to the target and
return. Pings also report packet loss, which can be used to gauge the
reliability of a network connection.

All modern versions of Linux and Windows include the ping command. The major
difference between the Linux and the Windows versions is that by default the
Windows ping command will send four Echo Request packets and automatically
terminate, whereas the Linux ping command will continue to send Echo Request
packets until you force it to stop. On a Linux system, you can force a ping
command to stop sending packets by using the CTRL+C combination.

Let’s look at an example of a ping test against Google:

```
PING google.com (216.58.222.238) 56(84) bytes of data
64 bytes from bog02s06-in-f238.1e100.net (216.58.222.238): icmp_seq=1 ttl=54 time=25.0 ms
64 bytes from bog02s06-in-f238.1e100.net (216.58.222.238): icmp_seq=2 ttl=54 time=23.5 ms
64 bytes from bog02s06-in-f238.1e100.net (216.58.222.238): icmp_seq=3 ttl=54 time=20.0 ms
64 bytes from bog02s06-in-f238.1e100.net (216.58.222.238): icmp_seq=4 ttl=54 time=20.5 ms
^C
--- google.com ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3005ms
rtt min/avg/max/mdev = 19.990/22.255/24.973/2.069 ms
```

Let’s focus our attention on the third line, which starts with “64 bytes from…”.
This line is telling us that our ICMP Echo Request packet successfully reached
the IP address 216.58.222.238 and that this IP address sent a Reply packet
back to our machine. The “64 bytes” in the line indicates the size of the packet
being sent. The “time=20.5 ms” is telling you how long the entire round trip took
for the packet to travel to and from the target. The “ttl=54” is a Time To Live
value; this is used to determine the maximum number of hops the packet will
take before automatically expiring.

Now that you have a basic understanding of how the ping command works, let’s see
how we leverage this tool as a hacker. Because we know that pings can be
useful in determining if a host is alive, we can use the ping tool as a host
discovery service. Unfortunately, pinging every potential machine on even a
small network by hand would be highly inefficient. Fortunately for us, there are
several tools that allow us to conduct ping sweeps. A ping sweep is a series
of pings that are automatically sent to a range of IP addresses, rather than
manually entering each individual target’s address.

The simplest way to run a ping sweep is with a tool called FPing. FPing is built
into BlackArch and is run from the terminal. The tool can also be downloaded for
Windows. The easiest way to run FPing is to open a terminal window and run the
following: `fping -a -g 182.271.23.125 182.271.23.255 > hosts.txt`. The "`-a`"
switch is used to show only the live hosts in our output. This makes our final
report much cleaner and easier to read. The "`-g`" parameter is used to
specify the range of IP addresses we want to sweep. You need to enter both
the beginning and the ending IP addresses. In this example, we scanned all the
IPs from 182.271.23.125 to 182.271.23.255. The "`>`" character is used to redirect
the output to a file, and hosts.txt is the name of the file our results will be
saved to. There are many other parameters that can be used to change the
functionality of the FPing command. It’s worth performing a couple of searches
for videos, wikis and documentation pages about FPing.

Once you’ve run the command above, you can open the hosts.txt file that was
created to find a list of target machines that responded to our pings. These IP
addresses should be added to your target list for later investigation. It’s
important to remember that not every host will respond to ping requests; some
hosts may be firewalled or otherwise blocking ping packets.
